#PhoneNumber

Kevin Karhan :verified:kkarhan@infosec.space
2025-06-13

@cryptgoat @signalapp @Mer__edith I sincerely doubt that.

2025-06-09

A Researcher Figured Out How to Reveal Any #PhoneNumber Linked to a #Google Account

Phone numbers are a goldmine for #SIM swappers. A researcher found how to get this precious piece of information through a clever brute-force attack.
#privacy

wired.com/story/a-researcher-f

Dendrobatus AzureusDendrobatus_Azureus@bsd.cafe
2025-06-09

Interesting set of developments that someone was able to figure out how to extract your mobile numbers from Google accounts

If this White Hat had found it and told Google to Plug The Leak it may have meant black hats found it a long time ago and exploited it in the Wild

Warning paywall

#Android #infosec #GSM #google #Alphabet #phonenumber

404media.co/a-researcher-figur

The image shows a smartphone screen displaying a podcast interface. At the top, the text "LISTEN TO THE 404 MEDIA PODCAST" is visible, with a green underline beneath "PODCAST." The time is 13:47, and the battery is at 93%. Below this, there is a large "404" with a green line crossing it out. The source of the article is "WIRED," with the article title "A Researcher Figured Out How to Reveal Any Phone Number Linked to a Google Account" by Joseph Cox, dated June 9, 2025, at 10:00 AM. The URL "404media.co/a-researcher" is shown at the bottom, with a lock icon and a number "45" indicating a notification count.

Kevin Karhan :verified:kkarhan@infosec.space
2025-05-23

@silhouette @richi @signalapp @torproject

1. You completely miss the points! There is no "#TechnicalNecessity" to demand #PII like a #PhoneNumber - especially for a "#privacy"-focussed messenger!

2. & 3. #Signal is able and willing to comply with #Cyberfacism and pushing a #Shitcoin (#MobileCoin) makes it trivial to criminalize the App for "illegal & unregulated banking". If #Moxie or @Mer__edith cared they'd yeet that thing (or didn't even integrate it to begin with!) to avoid the attention. And yes Signal does restrict the App functionality when using a phone number from #Russia & #Iran (among other nations), thus affecting not only those in need of safe comms but by sending a verification code to them, earmarking them for police & intelligence. Which brings me to the 1st argument.

4. #Tor has a stellar record in terms of stability, integrity and censorship circumvention. DIY'ing something instead of following almost two decades of solid progress is absurd and violates "don't roll your own crypto" as a rule!

5. Only with #SelfCustody can you protect your own data. Or do you really expect Staff from Signal to not talk when facing lifetime in jail? If they have the keys, they can decrypt it, thus their #E2EE is just a "#TrustMeBro!" concept. I mean, what prevents them from being forced into backdooring all comms to @icij as per #NSL? Any "guarantee" without self-custody is worthless by virtue of being unenforceable!

Signal pushing #TechPopulism instead of teaching folks that their #ComSec is worth diddly-piss without #OpSec, #InfoSec & #ITsec is dangerous!

  • And yes claiming "JuSt UsE sIgNaL!" is dangerous in the era of #Trump's #cyberfacist regime acting as it does (like with the #ICC)!

Not to mention there are better options that don't do that shite (i.e. demand PII) and just work. @monocles / #monoclesChat & @delta / #deltaChat for example can adapt way better to said risks and ain't run by a #VCmoneyBurningParty!

Kevin Karhan :verified:kkarhan@infosec.space
2025-05-22

@richi Except @signalapp is not "#Privacy-first" cuz if #Signal did, they'd not demand #PII (#PhoneNumber) nor remain in the #USA (#CloudAct) nor peddle #Shitcoin-#Scams (#MobileCoin) and put their tech on @torproject / #Tor and fully #decentralized with 100% #SelfCustody of all the keys!

Kevin Karhan :verified:kkarhan@infosec.space
2025-05-22

@GossiTheDog @signalapp it merely prevents #Screenshots by claiming it's #DRM'd content.

The correct solution for #Signal would be to alert all their users and specifically block #Windows in general or at least #Windows11 simply because it is a #Govware and empirically cannot be made private or secure.

But that would require them to actually give a shit, which they don't, cuz otherwise they would've stopped demanding #PII like a #PhoneNumber and moved out of jurisdiction of #CloudAct.

  • I mean, what's gonna prevent the #Trump-Regime from threatening @Mer__edith et. al. with lifetime in jail for not kicking the #ICC (or anyone else he and his fans dislike) from #Signal's infrastructure?

Since they are highly centralized they certainly are capable to comply with "#Sanctions" (or whatever bs he'll claim!)...

2025-04-28


#hotline #suicide #phone-number
Kevin Karhan :verified:kkarhan@infosec.space
2025-04-26

@dave_andersen @AVincentInSpace personally I consider any "#KYC" a risk-factor, and @signalapp has proven their ability and willingness to restrict functionality (i.e. their #Shitcoin-#Scam #MobileCoin) based off said #PhoneNumbers (Cuban, Russian and North Korean Numbers were excluded) which are in fact #PII (even if one doesn't have to #ID for obtaining a #SIM, they are circumstantial PII)...

  • They have neither "legitimate interest" nor legal mandate to collect said data (or to integrate a scammy Shitcoin for that matter) as the discontinuation of #ChatSecure / #TextSecure has eliminated the "technical necessity" to have those.

Either way they either have to yeet #Hegseth as client and/or stop collecting PII like PhoneNumbers - they gotta have to do something…

#ITsec is a different story, but unlike #Signal these do not depend on a #PhoneNumber and work through @torproject / #Tor.

  • And I've been using Tor for almost 15 years daily now...
2025-04-25

Your mistakes makes no difference to us. But it’s our mission to educate you

Thanks @oliora for the picture

#Facebook #PhoneNumber #Validation

Kevin Karhan :verified:kkarhan@infosec.space
2025-04-22

@lastquake a #XMPP-#Bot would be even better, as #Telegram demands #PII in the form of a #PhoneNumber!

Kevin Karhan :verified:kkarhan@infosec.space
2025-03-27

@dzwiedziu @fj @signalapp not really, as the #Metadata #FUD cited by #Signal is mitigateable with proper measures.

  • You can't even run Signal over @torproject and even if that point is moot when you're forced to quasi-#KYC by virtue of a #PhoneNumber aka. #PII they have neither legitimate interest nor technical reason to demand in the first place!

Every claim that things like #ITsec, #InfoSec, #OpSec & #ComSec can be solved with "Just use Signal!" is "#TechPopulism" at best if not being a "#UsefulIdiot"!

#EOD #thxbye #next

Kevin Karhan :verified:kkarhan@infosec.space
2025-03-27

@pixelcode @taylan Your nonchalant "So what?" gets people publicly murdered by the state in many jurisdictions...

  • Which is why there is no substitute to teaching proper #TechLiteracy ffs!

If things were so easy as in "JuSt UsE sIgNaL!" then @signalapp would be shut down.

If you do think so then you should really get some professional help, cuz you seem rather lost...

  • #Signal doesn't even bother to have an #OnionService, much less to provide means to use their service without self-doxxing with a #PhoneNumber, which at best is pseudonymous and requires money to attain and maintain...

Its #centralization is an absolute nightmare and must be deemed as criminally neglectful!

Kevin Karhan :verified:kkarhan@infosec.space
2025-03-27

@Andromxda @pixelcode How can you claim something you can't evidence?

It makes you look like one of those folks shilling #VPN|s that ain't logless after all...

  • I don't believe in #marketing #lies and #Signal can't (and won't) be able to evidence that they don't log shit.

At least they should be honest about things and not claim bs, cuz demanding a #PhoneNumber is just #KYC with extra steps like demanding any #SSN or other #PII. Makes them look like Chinese MMORPGs that demand ID card numbers for account signups, thus #paywalling the ability to use their service anonymously...

Kevin Karhan :verified:kkarhan@infosec.space
2025-03-25

@signalapp I disagree because your platform is #proprietary, #SingleVendor, #SingleProvider and doesn't allow for #SelfHosting, #SelfCustody of all the Keys and you demand #PII in the form of a #PhoneNumber which can be used to track users down!

Kevin Karhan :verified:kkarhan@infosec.space
2025-03-25

@walkinglampshade @jrredho @fj It's basic #InfoSec, really:

Thus #Signal fails at protecting #Journalists and their sources because they do have that data and can be #subopena'd for it if they don't already provide #BulkSurveillance & #LawfulInterception #API|s to comply with #CloudAct. (Or are you guys so naive and believe @Mer__edith will risk dying of old age in jail for non-paying users?)

  • This entire "thread vector" just doesn't exist with #XMPP+#OMEMO nor #PGP/MIME!

And if you believe "this won't be used/abused me because I'm from 'Murica!" and point at #ANØM as an example, then you really ignored all the #Cyberfacism since 9/11…

Kevin Karhan :verified:kkarhan@infosec.space
2025-03-25

@nemo Except #Signal demanding #PII like a #PhoneNumber, being subject to #CloudAct and shilling #MobileCoin, a blatant #Shitcoin #Scam disqualifies them!

Kevin Karhan :verified:kkarhan@infosec.space
2025-03-25

@licho @osman provide evidence the code @signalapp released is actually being deployed.

Not to mention pushing a #Shitcoin-#Scam (#MobileCoin) disqualifies #Signal per very design!
youtube.com/watch?v=tJoO2uWrX1M

  • Given the collection of #PII like #PhoneNumbers, the ability to restrict functionality based off those and the fact that #Signal is subject to #CloudAct make it inherently not trustworthy.

And don't even get me started on the fact it's not sustainable to run it as a #VCmoneyBurningParty!

Same as identifying users: They already got a #PhoneNumber which in many jurisdictions one can't even obtain without #ID legally, thus making it super easy to i.e. find and locate a user. Even the cheapest LEAs can force their local M(V)NOs to #SS7 a specific number...

  • All these are unnecessary risks, that could've been avoided, but explicitly don't even get remediated retroactively!

Again: Signal has a #Honeypot stench, and you better learn proper #E2EE, #SelfCustody and #TechLiteracy because corporations can't pull the 5th [Amendment] on your behalf!

Kevin Karhan :verified:kkarhan@infosec.space
2025-02-24

@soatok @jwildeboer I still disagree because it completely ignores @signalapp being #centralized, #SingleVendor & #SinglePrivider, demanding #PII in the form of a #PhoneNumber, being able and willing to restrict functionality based off that and being subject to #CloudAct.

  • And with #Trump's regime going apeshit, the #USA are more and more a #risk factor!
